> On May 30, 2018, at 12:54 PM, Michał Trojnara <Michal.Trojnara@xxxxxxxxxxx> wrote:
>
>> I am rather puzzled as to why you chose to eliminate
>> not just fixed DH, but also the ephemeral finite-field
>> DH key exchange. What's wrong with the DHE ciphers?
>
> Mostly precomputation attacks: https://weakdh.org/logjam.html

Which is an issue with *weak* DH parameters, which are no longer
accepted by OpenSSL. Ephemeral DH is in the majority of server
implementations actually ephemeral. The group is fixed, but the
server private key is per session, or with old unpatched code
randomly chosen by each server.

It is not clear to me that EECDH is fundamentally stronger. Indeed
it might prove weak sooner to QC attacks if/when those become practical.

So I would disable only kDH, but not DHE. Keep in mind that some
remote systems will not support EECDH, and by disabling DHE, you
get only kRSA, which is worse. So I think that '!DH' is unwise.

--
	Viktor.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
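
The fallback to kRSA described in the reply above can be reproduced with a small model of server-preference cipher selection. This is an added example, not part of the original message and not OpenSSL code; the listing is a constructed sample in `openssl ciphers -v` format, and `negotiate`, `LEGACY_CLIENT`, `MODERN_CLIENT` and the exclusion sets standing in for '!DH' and '!kDH' are assumptions of the example.

```python
# Constructed sample in the format printed by `openssl ciphers -v`
# (TLS 1.2 suites only); not captured from a real server.
SERVER_CIPHERS = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
"""

def parse(listing):
    """Return [(suite_name, key_exchange)] in server preference order."""
    suites = []
    for line in listing.splitlines():
        fields = line.split()
        if not fields:
            continue
        attrs = dict(f.split("=", 1) for f in fields[2:] if "=" in f)
        suites.append((fields[0], attrs["Kx"]))
    return suites

def negotiate(server_suites, excluded_kx, client_suites):
    """Pick the first server suite that survives the exclusion and that
    the client also offers; None means the handshake would fail."""
    for name, kx in server_suites:
        if kx not in excluded_kx and name in client_suites:
            return name, kx
    return None

def forward_secret(kx):
    """Kx=DH and Kx=ECDH in this listing are the ephemeral exchanges."""
    return kx in ("DH", "ECDH")

# Assumption: '!DH' is modelled as dropping every Kx=DH suite, and '!kDH'
# as dropping nothing here, since the sample holds no fixed-DH suites.
NOT_DH = {"DH"}
NOT_KDH = set()

# Hypothetical peers: one without ECDHE support, one offering everything.
LEGACY_CLIENT = {"DHE-RSA-AES256-GCM-SHA384", "AES256-GCM-SHA384"}
MODERN_CLIENT = {name for name, _ in parse(SERVER_CIPHERS)}

if __name__ == "__main__":
    server = parse(SERVER_CIPHERS)
    for label, excluded in (("!DH", NOT_DH), ("!kDH", NOT_KDH)):
        for peer, offer in (("legacy", LEGACY_CLIENT), ("modern", MODERN_CLIENT)):
            name, kx = negotiate(server, excluded, offer)
            print(f"{label:5} {peer:6} -> {name} (forward secret: {forward_secret(kx)})")
```
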